Report No. D-2010-038                       January 25, 2010

Identification of Classified Information
in an Unclassified DoD System
and an Unsecured DoD Facility

Warning
“The enclosed document(s) is (are) the property of the Department of Defense, Office of
Inspector General. Release or disclosure of the contents is prohibited by DOD Directive
5106.1. Contents may be disclosed only to persons whose official duties require access
hereto. Contents cannot be released outside the Defense Department without the approval of
the Department of Defense, Office of Inspector General.”

Additional Copies
To obtain additional copies of this report, contact the Secondary Reports Distribution
Unit at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Audits
To suggest or request audits, contact the Office of the Deputy Inspector General for
Auditing by phone (703) 604-9142 (DSN 664-9142), by fax (703) 604-8932, or by mail:

    ODIG-AUD (ATTN: Audit Suggestions)
    Department of Defense Inspector General
    400 Army Navy Drive (Room 801)
    Arlington, VA 22202-4704

Acronyms and Abbreviations
DDS                           Deployable Disbursing System
DFAS                          Defense Finance and Accounting Service
OIF                           Operation Iraqi Freedom
USCENTCOM                     United States Central Command

FOR OFFICIAL USE ONLY

Report No. D-2010-038 (Project No.
D2007-D000FL-0252.002)                   January 25, 2010

Results in Brief: Identification of Classified
Information in an Unclassified DOD System
and an Unsecured DOD Facility

What We Did
The objective of the audit was to determine whether the internal controls over transactions
processed through the Deployable Disbursing System (DDS) were adequate to ensure the
reliability of the data processed. The audit included financial information processed by
disbursing stations supporting the Operation Iraqi Freedom and included the recording of
related obligations. In completing this objective, we identified an urgent issue related
to the U.S. Army mishandling of classified information.

What We Found
The U.S. Army did not have effective internal controls over the handling of classified
information to prevent the:

   • processing of 655 transactions containing classified information into DDS and

   • submission of at least 40 disbursement vouchers containing unmarked classified
     information for storage at a vulnerable Defense Finance and Accounting
     Service (DFAS) Rome facility.

The unauthorized disclosure of classified information in an unclassified system, such as
DDS, or at a vulnerable facility could place unsuspecting warfighters or trusted foreign
officials in harm’s way and cause damage to national security.

What We Recommend
We recommend that the Assistant Secretary of the U.S. Army (Financial Operations):

   • identify DDS disbursement transactions that contain classified information and
     remove the classified information from the system and

   • identify and properly mark the vouchers containing classified information housed
     at DFAS Rome.

In addition, we recommend that the Director, DFAS:

   • identify and remove classified information from DDS databases housed by DFAS,
     Indianapolis Operations and

   • move classified documentation to a secure storage facility.

Management Comments and Our Response
The Deputy Assistant Secretary of the U.S. Army (Financial Operations) and the Director,
DFAS Information and Technology, agreed with our recommendations. Management comments
were responsive to the recommendations and no additional comments are required. Please see
the recommendations table on page ii.

Recommendations Table

Management                                                    Recommendations       No Additional Comments
                                                              Requiring Comment     Required
Assistant Secretary of the U.S. Army (Financial Operations)                         1.a and 1.b
Director, Defense Finance and Accounting Service                                    2.a and 2.b

Table of Contents

Introduction

      Objective
      Background
      Review of Internal Controls

Finding. Army Classified Information

      Management Actions
      Management Comments on the Finding and Our Response
      Recommendations, Management Comments, and Our Response

Appendix

      Scope and Methodology
          Prior Coverage

Management Comments

      Department of the Army

      Defense Finance and Accounting Service

Introduction

Objective
The objective of the audit was to determine whether the internal controls over
transactions processed through the Deployable Disbursing System (DDS) were adequate
to ensure the reliability of the data processed. The audit included financial information
processed by disbursing stations supporting the Operation Iraqi Freedom (OIF) and
included the recording of related obligations. In completing this objective, we identified
an urgent issue related to the U.S.
Army mishandling of classified information. For
scope and methodology used and a discussion of prior coverage related to the objective,
please see the appendix of this report.

Background
On May 22, 2008, the DOD Inspector General Audit Report D-2008-098, “Internal
Controls Over Payments Made in Iraq, Kuwait, and Egypt,” addressed a material internal
control weakness over in-theater payments. In response to a draft of that report, the
Under Secretary of Defense (Comptroller)/ Chief Financial Officer stated that the
implementation of DDS would improve the controls. As a follow-up to “Internal
Controls Over Payments Made in Iraq, Kuwait, and Egypt,” we reviewed the controls
over commercial and miscellaneous payments processed through DDS. This audit is the
third of a series that addresses the internal controls and data reliability of DDS. The first
audit reported that the U.S. Marine Corps recorded classified information in unclassified
DOD systems. The second audit addressed the U.S. Marine Corps’ internal controls
related to the use of DDS. The fourth audit will cover the U.S. Army’s use of DDS.

DDS captures disbursement information for commercial and miscellaneous payments
processed by the U.S. Army disbursing stations, including those supporting OIF. The
Defense Finance and Accounting Service (DFAS) site at Rome, New York, maintains
documentation supporting these OIF payments.

DFAS developed DDS to fulfill the need for a military tactical disbursing system to
account for U.S. Treasury funds entrusted to disbursing agents on the battlefield and
provide timely reporting of accounting and pay information.
DDS is an unclassified
system that is used for a variety of disbursing office functions, including travel pay,
military pay, accounts payable, disbursing and collection processes, and reporting.
During FYs 2006 through 2008, DDS processed in excess of 275,456 commercial and
miscellaneous payments for at least $13.2 billion. The U.S. Army disbursing stations
supporting OIF submit DDS supporting documents (disbursement vouchers, invoices,
and receiving reports) to DFAS Rome for storage.

Classified Information Requirements
DOD 5200.1-R, “DOD Information Security Program,” January 1997, prescribes
procedures for implementing Executive Order 12958, “Classified National Security
Information,” April 20, 1995, within DOD. This security program establishes the DOD
Information Security Program to promote proper and effective classification, protection,
and downgrading of official information requiring protection in the interest of the
national security. It provides specific requirements for the storage of classified
information in a locked security container, vault, room, or area.

U.S. Central Command (USCENTCOM) Security Classification Guide 0501, dated
June 9, 2005, implements the requirements of Executive Order 12958 for USCENTCOM.
The USCENTCOM Security Classification Guide 0501 establishes the basic policies for
proper classification, downgrading, and declassification of information related to
operations, facilities, communications, data collection, and processing.
Personnel
involved in USCENTCOM activities use the USCENTCOM Security Classification
Guide 0501 to determine the levels of security classification assigned to information,
systems, programs, or projects associated with USCENTCOM, including information
processed by disbursing stations supporting OIF.

Review of Internal Controls
DOD Instruction 5010.40, “Managers’ Internal Control (MIC) Program Procedures,”
January 4, 2006, requires DOD organizations to implement a comprehensive system of
internal controls that provides reasonable assurance that programs are operating as
intended and to evaluate the effectiveness of the controls. We identified internal control
weaknesses for the U.S. Army. The U.S. Army did not have effective internal controls
over the handling of classified information. Implementing Recommendations 1 and 2
will help prevent unauthorized disclosure of classified information. We will provide a
copy of the report to the senior U.S. Army official responsible for internal controls.

Finding. Army Classified Information
U.S. Army internal controls did not prevent the input of classified information into DDS
and did not ensure that classified information was properly marked in disbursement
documentation. This occurred because the U.S. Army did not comply with
USCENTCOM Security Classification Guide 0501 when handling classified information.
The unauthorized disclosure of classified information in unclassified systems, such as
DDS, or at a vulnerable facility could place unsuspecting warfighters or trusted foreign
officials in harm’s way and cause damage to national security.

DDS Databases
The U.S. Army processed 655 classified disbursement transactions through DDS, which
is an unclassified system. At least 132 disbursement vouchers from the U.S.
Army DDS
databases contained classified information in the “Articles or Services” field or in the
“Payee” field. We reviewed the 682 transactions contained in the 132 disbursement
vouchers and determined that 655 transactions contained classified information. These
transactions included sensitive information pertaining to reward payments. Because DDS
is an unclassified system, the U.S. Army should not have processed classified
information through DDS. The U.S. Army should take corrective action to identify and
remove classified information from its DDS databases. In addition, because DFAS,
Indianapolis Operations, maintains export files of the U.S. Army DDS databases, DFAS
should also identify and remove classified information from the DFAS databases.

Disbursing Documentation
The U.S. Army did not properly mark classified information in its disbursing
documentation. The U.S. Army did not mark the disbursing documentation with a
classification in accordance with USCENTCOM Security Classification Guide 0501.
Specifically, the U.S. Army submitted disbursing documentation for reward payments
containing information that the USCENTCOM Security Classification Guide 0501
categorizes as classified. During a May 2009 visit to DFAS Rome, we reviewed 40
hard-copy documents that related to the 132 DDS disbursement vouchers containing
classified information. The hard-copy documents were stored in an inadequately secured
warehouse, and all 40 hard-copy documents contained classified information, including
sensitive reward payment information. DFAS Rome personnel stored this documentation
in a warehouse that was not adequate to safeguard classified information. According to
DOD 7000.14-R, “DOD Financial Management Regulation,” volume 5, chapter 11, the
paying disbursing or voucher preparing office must retain the classified portion of the
disbursement documentation. If the U.S.
Army had properly marked the classified
documents, it may not have submitted them to DFAS Rome for storage.

We informed DFAS Rome that these 40 disbursement vouchers contained the same
classified information as posted in DDS and that they needed to properly secure them.
We notified DFAS Rome of an additional 16 disbursement vouchers that contained
classified information. DFAS Rome security personnel agreed that the warehouse used
to store these documents was inadequate for storage of classified information and stated
that they were in the process of building a secure facility. DFAS personnel stated that
they would sanitize the 40 vouchers and move classified information to a safe. To
prevent the release of classified information, the U.S. Army should review the
disbursement documentation housed in the DFAS Rome storage facility to identify and
properly mark the vouchers containing classified information. Upon completion of the
U.S. Army’s review, DFAS should store the disbursement vouchers containing classified
documentation in a secure facility, as specified in DOD 5200.1-R, “DOD Information
Security Program.”

Management Actions
On April 2, 2009, the Deputy Assistant Secretary of the U.S. Army (Financial
Operations) issued a memorandum regarding the processing of sensitive payments made
in contingency operations. The memorandum requires that all payments made in
contingency operations under the rewards program be processed using procedures for
classified documents. This memorandum prescribes procedures for the handling of
current and future documentation containing sensitive information.
However, it does not
correct the preexisting conditions identified in this report.

According to the Director of DFAS Rome, to mitigate the risk of exposure of classified
information, DFAS restricted access to the warehouse requiring individuals to have at
least a SECRET clearance. DFAS also created policy prohibiting individuals from
bringing storage devices, such as cell phones and cameras, into the warehouse.

Conclusion
Because of the potential exposure of classified information and the consequential risk of
placing unsuspecting warfighters or trusted foreign officials in harm’s way, the U.S.
Army and DFAS should take immediate action to implement the recommendations stated
in this report.

Management Comments on the Finding and Our Response

Management Comments on the Storage of Classified Information
The Director, DFAS Information and Technology, requested that the following
statements be added to the report:

    • “DFAS Rome completed the construction of the secure facility post-audit and
      expects Corps of Engineers to verify completion of the secure facility
      construction by 30 October 2009,” to page 3, paragraph 4, and

    • “Per DFAS security protocol red-tagged boxes have been moved post-audit from
      the controlled warehouse to the new secured environment storage room,” to
      page 4, paragraph 1.

Audit Response
We have included the full text of the Director, DFAS Information and Technology,
requested additions to the report (see the DFAS Comments section in this report). On
October 18, 2009, the Director, DFAS Rome, clarified that the U.S. Army Corps of
Engineers did not have to certify the facility.
The Director, DFAS Corporate Security,
certified that the new storage facility complied with DOD 5200.1-R, “DOD Information
Security Program” requirements. On November 2, 2009, the Director, DFAS Rome,
approved the use of the facility for secure storage of classified material. We met with the
Director, DFAS Corporate Security, on November 6, 2009, and confirmed that DFAS
moved documentation that they confirmed to contain classified information into this
secure facility.

Recommendations, Management Comments, and Our Response
1. We recommend that the Assistant Secretary of the U.S. Army (Financial
Operations):

       a. Identify which Deployable Disbursing System disbursement transactions
       contain classified information and remove the classified information from the
       system.

Management Comments
The Deputy Assistant Secretary of the U.S. Army (Financial Operations) agreed. He
stated that the Defense Finance and Accounting Service (DFAS) prepared Deployable
Disbursing System scripts that identified and replaced classified information. He
explained that this script was run against centrally stored and in-theater databases and
also provided to audit agencies using these databases. In addition, he stated that the
Army Central Command and DFAS coordinated the cleansing of hardware.

Our Response
The Deputy Assistant Secretary of the U.S. Army (Financial Operations) comments are
responsive to the recommendation and no additional comments are required.

       b. Review the disbursement documentation housed in the Defense Finance
       and Accounting Service Rome storage facility to identify and properly mark
       the vouchers containing classified information.

Management Comments
The Deputy Assistant Secretary of the U.S. Army (Financial Operations) partially agreed.
He stated that the Army has partnered with DFAS to review vouchers for classified
information.
He also stated that the immediate focus is on incoming documents and
those already scanned into an imaging system. He added that boxes of older documents
were tagged for transfer to a secure facility and subsequent review for classified
information prior to scanning.

Our Response
The Deputy Assistant Secretary of the U.S. Army (Financial Operations) comments are
responsive to the recommendation because DFAS has completed a new secure storage
facility that meets the requirements of DOD 5200.1-R and has moved documentation
confirmed to contain or potentially containing classified information to this facility.
Therefore, no additional comments are required.

2. We recommend that the Director, Defense Finance and Accounting Service:

       a. Identify which Deployable Disbursing System disbursement transactions
       stored in databases housed by Defense Finance and Accounting Service,
       Indianapolis Operations, contain classified information and remove the
       classified information from the databases.

Management Comments
The Director, DFAS Information and Technology, agreed and stated that all Deployable
Disbursing System databases have been scanned and classified data have been identified
and removed. This action was completed in September 2009.

Our Response
The Director, DFAS Information and Technology, comments are responsive to the
recommendation and no additional comments are required.

       b. Move documentation containing classified information, as identified by
       the auditors and the U.S.
       Army, to a storage facility that meets the classified
       information storage facility requirements specified in DOD 5200.1-R, “DOD
       Information Security Program,” January 1997.

Management Comments
The Director, DFAS Information and Technology, agreed and stated that as of
September 30, 2009, DFAS Rome has a sensitive document facility which meets the
classified information storage facility requirements specified in DOD 5200.1-R.
Documentation containing classified information is now stored within this facility.
Additionally, procedures have been implemented to restrict access to the controlled
warehouse.

Our Response
The Director, DFAS Information and Technology, comments are responsive to the
recommendation and no additional comments are required.

Appendix. Scope and Methodology
We conducted this performance audit on the identification of classified information
during January through September 2009, in conjunction with the performance of the
audit, “Internal Controls and Data Reliability in the Processing of U.S. Army Payments
Through DDS.” We performed this audit in accordance with generally accepted
government auditing standards. Those standards require that we plan and perform the
assessment to obtain sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our objectives.

This is the third in a series of reports on our audit of Internal Controls and Data
Reliability in the DDS. We evaluated FY 2006 through FY 2009 commercial and
miscellaneous disbursement voucher data that the U.S. Army entered into DDS and the
disbursement documentation the U.S. Army stored at DFAS Rome.
We applied the
classification guidelines contained in USCENTCOM Security Classification Guide 0501
and reviewed DDS data and hard-copy documentation to determine whether it contained
classified information. We discussed our review of the disbursement data and
documentation with U.S. Army and DFAS personnel. As a result, we determined that the
U.S. Army had processed disbursement transactions that contain classified information in
DDS and stored unmarked classified documentation in an inadequate storage facility.

Use of Computer Processed Data
We relied upon computer-processed data obtained from DDS to perform this audit. We
confirmed that the classified information posted in DDS also existed on the hard-copy
documentation stored at DFAS Rome.

Use of Technical Assistance
We consulted with DFAS security officials to verify the security level of the warehouse
used to store the documents at DFAS Rome. In addition, we consulted with DOD Office
of Inspector General security officials to ensure that we did not compromise the security
of the classified information.

Prior Coverage
During the last 5 years, the DOD Office of Inspector General has issued one report
regarding classified information processed by DDS. One can access unrestricted
DOD Office of Inspector General reports at http://www.dodig.mil/audit/reports.

DOD IG Report No.
D-2009-054, “Identification of Classified Information in
Unclassified DOD Systems During the Audit of Internal Controls and Data Reliability in
the Deployable Disbursing System,” February 17, 2009

Department of the Army Comments

Final Report Reference
Management Comments on the Finding Page 4